Re: Cascaded with Foundry

To: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Cascaded with Foundry
From: Radu-Adrian Feurdean <raf@xxxxxxxx>
Date: Wed, 19 Sep 2001 13:22:49 +0200 (CEST)
On Wed, 19 Sep 2001 robert.gehr@xxxxxxxxxx wrote:

> Hello there
>
> Let me describe my Problem (Setup)
>
> I am running a LVS Setup here with two Real Servers (Web Servers). The
> requests for those Web Servers come in over a Foundry box that is located
> at a different place. The DNS for the Web Server resolves to the Foundry
> IP.
> The Foundry is set up like a proxy, so everything arriving at our
> director has the same source IP. Because we are using sessions on our
> WebServers (cookies) a persistent value is set and therefore all requests
> land on the same Real Server.

What is the exact packet flow ? foundry -> lvs -> real ? In that case, just
remove the foundry and adjust IP addresses on the LVS director.

>
> The folks responsible for the Foundry told me that they could configure it
> in a way that they hand down the IP from the Client to me but this would
> cause a Problem if the client sits behind a firewall doing stateful
> inspection.
>
> The scenario is like follows.
>
> Client A at 123.123.123.123 opens up a http connection to our Web Server
> and gets via DNS the IP of the foundry box which is at e.g. 233.233.233.233,
> so the firewall at the client side remembers that connection. If I answer
> back directly from my Real Server, which is let's say at 244.244.244.244, to
> the client, the firewall on the client side discards the packet because it
> expects it to come from 233.233.233.233.

That is stupid. In that case the connection cannot be established regardless
of the fact that a stateful firewall exists or not.

You just cannot send the SYN to 233.233.233.233 and establish the connection
when you get the SYN/ACK from 244.244.244.244. It's against the TCP semantics.

That's the problem that LVS/NAT solves. It NATs the destination address (as
opposed to source address used in masquerade). The possible drawback is that
the return packets must pass through the director (in most cases you set the
default gateway to the director).

>
> What can be done ? The foundry box can not be thrown out.

Why not ? Replace it with the LVS. Result: smaller response times, fewer
timeouts. To have an idea: http://www.linuxvirtualserver.org/deployment.html
toward the end of the page, "Tiscali Group's massive web hosting services".
Everything works better since we got rid of the foundry.

>
> Would it be a solution for me to mangle the outgoing IP address from the
> Real Servers to become the IP address of the Foundry box ?

LVS/NAT. Then you don't need the foundry anymore.


 Radu-Adrian Feurdean
mailto: raf @ chez.com
-------------------------------------------------------------
Majority: The quantity that distinguishes a crime from a law.
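The LVS/NAT setup Radu describes, as an added example that is not part of either message in this thread and not from the LVS project itself: the director takes over the public address the clients resolve to (the old Foundry address), declares one persistent virtual service for the two real web servers in masquerading mode, and the real servers point their default route at the director's inside address so the replies are un-NATed before they reach the client's stateful firewall. All addresses, the persistence timeout and the function names are assumptions for illustration; ipvsadm, sysctl and ip are the real tools with their real flags.

```shell
#!/bin/sh
# Added example (not from the original post): LVS/NAT director and real-server
# configuration for the scenario in the thread. Addresses are assumptions.
set -eu

VIP=233.233.233.233   # public address clients connect to (previously the Foundry's)
DIP=192.168.10.1      # director's inside address; the real servers' default gateway
RIP1=192.168.10.11    # real server 1 (assumed)
RIP2=192.168.10.12    # real server 2 (assumed)
PORT=80
PERSIST=3600          # seconds a client is pinned to one real server (cookie sessions)

# With DRY_RUN=1 the commands are printed instead of executed; executing them
# needs root and the ip_vs module on a director.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Director: enable forwarding, declare the virtual service with persistence,
# and add both real servers in masquerading (-m) mode. The director rewrites
# the destination address on the way in and the source address on the way out,
# so the client only ever sees VIP, which is what its firewall expects.
lvs_nat_director() {
    run sysctl -w net.ipv4.ip_forward=1
    run ipvsadm -C
    run ipvsadm -A -t "$VIP:$PORT" -s rr -p "$PERSIST"
    run ipvsadm -a -t "$VIP:$PORT" -r "$RIP1:$PORT" -m
    run ipvsadm -a -t "$VIP:$PORT" -r "$RIP2:$PORT" -m
}

# Real server: replies must go back through the director. A reply that leaves
# by any other route carries the real server's own source address and is
# dropped by the client's stateful firewall, the failure described above.
lvs_nat_realserver_route() {
    run ip route replace default via "$DIP"
}

# Verify a real server's default route. Takes the output of
# `ip route show default` as its argument so it can be checked offline.
check_default_gw() {
    route_line=$1
    case "$route_line" in
        "default via $DIP"|"default via $DIP "*) return 0 ;;
        *) return 1 ;;
    esac
}

case "${1:-}" in
    director)   lvs_nat_director ;;
    realserver) lvs_nat_realserver_route ;;
    check)      check_default_gw "$(ip route show default)" ;;
esac
```

Run it as `sh lvs-nat.sh director` on the director and `sh lvs-nat.sh realserver` on each real server; `sh lvs-nat.sh check` on a real server exits non-zero if the default route does not go through the director, which is the first thing to test when clients see hanging connections after the switch. `DRY_RUN=1 sh lvs-nat.sh director` just prints the commands for review.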


